
Showing papers by "Eran Tromer published in 2005"


Posted Content
TL;DR: In this article, the authors describe side-channel attacks based on inter-process leakage through the state of the CPU's memory cache, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups.
Abstract: We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures for mitigating such attacks.

1,109 citations
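The abstract describes the leakage mechanism (which cache lines a data-dependent table lookup touches) but not how an attacker turns it into key bits. The following added example, not code from the paper or from OpenSSL, simulates the known-plaintext first-round attack on a single 1 KiB T-table: the victim's first round indexes the table by plaintext[i] XOR key[i], a Prime+Probe-style observer learns which cache lines were touched, and a candidate key nibble survives only if it predicts a touched line in every observation. Assumptions are marked in the code: 64-byte lines, 4-byte entries, a line-aligned table, one shared table for all 16 lookups (real AES uses four), and a noise-free observation.

```python
import random

# --- model parameters (assumptions, typical for a 2005-era x86 L1 cache) ---
LINE_BYTES = 64                                 # cache line size
ENTRY_BYTES = 4                                 # T-table entries are 32-bit words
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES    # 16 entries share one line
NUM_LINES = 256 // ENTRIES_PER_LINE             # a 256-entry table spans 16 lines


def line_of(index):
    """Cache line holding T-table entry `index` (table assumed line-aligned)."""
    return index // ENTRIES_PER_LINE


def victim_first_round_lines(plaintext, key):
    """Set of lines the victim's first round touches.  The only AES property
    used is that round 1 indexes its table by plaintext[i] XOR key[i].  This
    victim is noiseless; a real Prime+Probe measurement is not."""
    return {line_of(p ^ k) for p, k in zip(plaintext, key)}


def prime_probe_attack(samples):
    """Return, for each of the 16 key bytes, the set of high nibbles consistent
    with every (plaintext, touched_lines) observation.

    Only the high nibble is recoverable from round 1: the 16 entries that share
    a line differ only in their low nibble, so the line leaks nothing about it
    (the paper's second-round analysis recovers the rest)."""
    recovered = []
    for i in range(16):
        candidates = set(range(NUM_LINES))
        for pt, touched in samples:
            # The correct nibble always predicts a touched line; a wrong one
            # predicts a line that no other lookup hit in roughly a third of
            # the samples, so wrong candidates die off exponentially.
            candidates = {c for c in candidates
                          if line_of(pt[i] ^ (c << 4)) in touched}
        recovered.append(candidates)
    return recovered


def run_demo(seed=1, n_samples=64):
    """Constructed scenario: random key, random known plaintexts, simulated
    probe after each encryption.  Returns (key, candidate sets per byte)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    samples = []
    for _ in range(n_samples):
        pt = bytes(rng.randrange(256) for _ in range(16))
        samples.append((pt, victim_first_round_lines(pt, key)))
    return key, prime_probe_attack(samples)


if __name__ == "__main__":
    key, recovered = run_demo()
    for i, cands in enumerate(recovered):
        print(f"k[{i:2}] high nibble: real {key[i] >> 4:x}, "
              f"candidates {[f'{c:x}' for c in sorted(cands)]}")
```

A few dozen observations suffice here because the model is noiseless; the paper's measurements are timing-based and noisy, which is why its attacks aggregate many more samples, and why the 800-write dm-crypt figure in the abstract is the relevant practical number rather than this simulation's 64.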


Book ChapterDOI
29 Aug 2005
TL;DR: In this article, the authors propose a special-purpose hardware device for the block Wiedemann algorithm, based on a pipelined systolic architecture reminiscent of the TWIRL device, together with an error-detection scheme for Wiedemann implementations that detects computational errors with probability arbitrarily close to 1.
Abstract: Motivated by the goal of factoring large integers using the Number Field Sieve, several special-purpose hardware designs have been recently proposed for solving large sparse systems of linear equations over finite fields using Wiedemann's algorithm. However, in the context of factoring large (1024-bit) integers, these proposals were marginally practical due to the complexity of a wafer-scale design, or alternatively the difficulty of connecting smaller chips by a huge number of extremely fast interconnects. In this paper we suggest a new special-purpose hardware device for the (block) Wiedemann algorithm, based on a pipelined systolic architecture reminiscent of the TWIRL device. The new architecture offers simpler chip layout and interconnections, improved efficiency, reduced cost, easy testability and greater flexibility in using the same hardware to solve sparse problems of widely varying sizes and densities. Our analysis indicates that standard fab technologies can be used in practice to carry out the linear algebra step of factoring 1024-bit RSA keys. As part of our design but also of independent interest, we describe a new error-detection scheme adaptable to any implementation of Wiedemann's algorithm. The new scheme can be used to detect computational errors with probability arbitrarily close to 1 and at negligible cost.

30 citations


Journal Article
TL;DR: A new special-purpose hardware device for the (block) Wiedemann algorithm is suggested, based on a pipelined systolic architecture reminiscent of the TWIRL device that offers simpler chip layout and interconnections, improved efficiency, reduced cost, easy testability and greater flexibility in using the same hardware to solve sparse problems of widely varying sizes and densities.
Abstract: Motivated by the goal of factoring large integers using the Number Field Sieve, several special-purpose hardware designs have been recently proposed for solving large sparse systems of linear equations over finite fields using Wiedemann's algorithm. However, in the context of factoring large (1024-bit) integers, these proposals were marginally practical due to the complexity of a wafer-scale design, or alternatively the difficulty of connecting smaller chips by a huge number of extremely fast interconnects. In this paper we suggest a new special-purpose hardware device for the (block) Wiedemann algorithm, based on a pipelined systolic architecture reminiscent of the TWIRL device. The new architecture offers simpler chip layout and interconnections, improved efficiency, reduced cost, easy testability and greater flexibility in using the same hardware to solve sparse problems of widely varying sizes and densities. Our analysis indicates that standard fab technologies can be used in practice to carry out the linear algebra step of factoring 1024-bit RSA keys. As part of our design but also of independent interest, we describe a new error-detection scheme adaptable to any implementation of Wiedemann's algorithm. The new scheme can be used to detect computational errors with probability arbitrarily close to 1 and at negligible cost.

22 citations
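Both of the preceding entries (the conference and journal versions of the same work) promise error detection "with probability arbitrarily close to 1 and at negligible cost" for any Wiedemann implementation, without saying how in the abstract. The added example below is not the paper's scheme; it is a standard Freivalds-style probabilistic check that has exactly those two properties and fits the same place in the algorithm: every sparse matrix-vector product A v in the Krylov sequence v, Av, A^2 v, ... is verified against k precomputed random functionals, so a faulty step is missed with probability 2^-k at the cost of two length-n inner products per functional. The matrix, vector and injected fault are constructed samples; `checked_krylov`, `ProductChecker` and the parameter names are this example's own.

```python
import random


def matvec_gf2(rows, v):
    """y = A v over GF(2).  The sparse matrix is stored as rows[i] = column
    indices of the 1-entries in row i (a natural layout for NFS matrices)."""
    return [sum(v[j] for j in cols) & 1 for cols in rows]


def transpose(rows, n):
    """Column lists of the n x n matrix A, i.e. the row lists of A^T."""
    cols = [[] for _ in range(n)]
    for i, cs in enumerate(rows):
        for j in cs:
            cols[j].append(i)
    return cols


def dot_gf2(a, b):
    return sum(x & y for x, y in zip(a, b)) & 1


class ProductChecker:
    """Verifies a claimed product w = A v without recomputing it.

    For k random r_j in GF(2)^n, u_j = A^T r_j is computed once (one extra
    mat-vec per functional, amortised over the whole run).  Then
    r_j . w == u_j . v must hold for every j.  If w != A v, the difference
    d = w + A v is a non-zero vector and r_j . d = 1 with probability exactly
    1/2, so a wrong w survives all k checks with probability 2^-k.  Each check
    costs two length-n inner products, negligible next to the sparse mat-vec."""

    def __init__(self, rows, n, k, rng):
        at = transpose(rows, n)
        self.r = [[rng.randrange(2) for _ in range(n)] for _ in range(k)]
        self.u = [matvec_gf2(at, r) for r in self.r]

    def accept(self, v, w):
        return all(dot_gf2(r, w) == dot_gf2(u, v) for r, u in zip(self.r, self.u))


def checked_krylov(rows, v0, steps, checker, fault_at=None, fault_bit=0):
    """Compute v, Av, A^2 v, ... as Wiedemann's algorithm does, checking every
    step.  If fault_at is set, flip bit fault_bit of that step's result to model
    a hardware fault.  Returns the index of the first rejected step, or None if
    every step was accepted."""
    v = v0
    for i in range(1, steps + 1):
        w = matvec_gf2(rows, v)
        if i == fault_at:                       # constructed single-bit fault
            w = list(w)
            w[fault_bit] ^= 1
        if not checker.accept(v, w):
            return i
        v = w
    return None


def random_sparse_gf2(n, weight, rng):
    """Constructed n x n matrix with `weight` random 1-entries per row."""
    return [sorted(rng.sample(range(n), weight)) for _ in range(n)]


def run_demo(n=128, weight=5, steps=50, k=24, seed=7):
    """Run an honest sequence and one with a fault injected at step 17.
    Returns (first rejected step of honest run, first rejected step of faulty run)."""
    rng = random.Random(seed)
    rows = random_sparse_gf2(n, weight, rng)
    v0 = [rng.randrange(2) for _ in range(n)]
    checker = ProductChecker(rows, n, k, rng)
    honest = checked_krylov(rows, v0, steps, checker)
    faulty = checked_krylov(rows, v0, steps, checker, fault_at=17, fault_bit=3)
    return honest, faulty


if __name__ == "__main__":
    print("honest run rejected at:", run_demo()[0], "| faulty run rejected at:", run_demo()[1])
```

The check detects the fault at the step where it occurs rather than at the end of a run of millions of steps, which is what makes it cheap to react to (recompute one step) and why k can be chosen to push the miss probability 2^-k as low as desired with no change to the linear-algebra pipeline itself.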


Book ChapterDOI
10 Feb 2005
TL;DR: The authors give both probabilistic constructions (which also have other properties, such as K-wise independence and being computationally indistinguishable from G(N,p(n))) and deterministic constructions, where for each graph size they provide a specific graph that captures the properties of G(2^n,p(n)) for slightly smaller quantifier depths.
Abstract: We construct efficiently computable sequences of random-looking graphs that preserve properties of the canonical random graphs G(2^n,p(n)). We focus on first-order graph properties, namely properties that can be expressed by a formula φ in the language where variables stand for vertices and the only relations are equality and adjacency (e.g. having an isolated vertex is a first-order property ∃x∀y(¬EDGE(x, y))). Random graphs are known to have remarkable structure w.r.t. first-order properties, as indicated by the following 0/1 law: for a variety of choices of p(n), any fixed first-order property φ holds for G(2^n,p(n)) with probability tending either to 0 or to 1 as n grows to infinity. We first observe that similar 0/1 laws are satisfied by G(2^n,p(n)) even w.r.t. sequences of formulas {φ_n}_{n∈ℕ} with bounded quantifier depth, $\mathit{depth}(\phi_n) \le \frac{1}{\lg(1/p(n))}$. We also demonstrate that 0/1 laws do not hold for random graphs w.r.t. properties of significantly larger quantifier depth. For most choices of p(n), we present efficient constructions of huge graphs with edge density nearly p(n) that emulate G(2^n,p(n)) by satisfying $\Theta\!\left(\frac{1}{\lg(1/p(n))}\right)$-0/1 laws. We show both probabilistic constructions (which also have other properties such as K-wise independence and being computationally indistinguishable from G(N,p(n))), and deterministic constructions where for each graph size we provide a specific graph that captures the properties of G(2^n,p(n)) for slightly smaller quantifier depths.

20 citations


Proceedings ArticleDOI
04 Apr 2005
TL;DR: It is shown that the heuristic mesh routing algorithm used by these designs may in fact encounter livelocks; a context-specific solution is proposed for this problem, and efficiency can be improved by a factor of ≈ 4 through a parallel tori topology and packet injection during routing.
Abstract: Efficient custom-hardware designs were proposed for the linear algebra step of the number field sieve integer factoring algorithm. These designs make use of a heuristic mesh routing algorithm, whose performance has been analyzed only experimentally. We show that the routing algorithm may in fact encounter livelocks, i.e., may never terminate. We propose a context-specific solution for this problem. We also show how efficiency can be improved by a factor of ≈ 4 through the use of a parallel tori topology and packet injection during routing.

13 citations


01 Jan 2005
TL;DR: This work reviews the proposed special-purpose hardware architectures for the sieving step of the Number Field Sieve algorithm, and their various approaches to exploiting the flexibility of custom hardware.
Abstract: In the quest for factorization of larger integers, the present bottleneck is the sieving step of the Number Field Sieve algorithm. Several special-purpose hardware architectures have been proposed for this step: TWINKLE (based on electro-optics), mesh circuits (based on two-dimensional systolic arrays) and TWIRL (based on parallel processing pipelines). For 1024-bit composites, the use of such special-purpose hardware has reduced the predicted cost of factorization by 5-6 orders of magnitude. We review the proposed architectures, their cost, and their various approaches to exploiting the flexibility of custom hardware.

3 citations